From 2d24f6ab69fa3a12156a33caeff5860b974fe0c3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 31 Dec 2015 00:33:53 +0000 Subject: fix three bugs in KRL code related to (unused) signature support: verification length was being incorrectly calculated, multiple signatures were being incorrectly processed and a NULL dereference that occurred when signatures were verified. Reported by Carl Jackson --- usr.bin/ssh/krl.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/ssh/krl.c b/usr.bin/ssh/krl.c index 52e930e1020..3e2ac4a0cd8 100644 --- a/usr.bin/ssh/krl.c +++ b/usr.bin/ssh/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.36 2015/12/11 04:21:12 mmcc Exp $ */ +/* $OpenBSD: krl.c,v 1.37 2015/12/31 00:33:52 djm Exp $ */ #include /* MIN */ #include @@ -1013,7 +1013,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, } /* Check signature over entire KRL up to this point */ if ((r = sshkey_verify(key, blob, blen, - sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) + sshbuf_ptr(buf), sig_off, 0)) != 0) goto out; /* Check if this key has already signed this KRL */ for (i = 0; i < nca_used; i++) { @@ -1034,7 +1034,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, ca_used = tmp_ca_used; ca_used[nca_used++] = key; key = NULL; - break; } if (sshbuf_len(copy) != 0) { @@ -1099,7 +1098,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, r = SSH_ERR_INVALID_FORMAT; goto out; } - if (sshbuf_len(sect) > 0) { + if (sect != NULL && sshbuf_len(sect) > 0) { error("KRL section contains unparsed data"); r = SSH_ERR_INVALID_FORMAT; goto out; -- cgit v1.2.3